
have made surprising requests that cost you more than you anticipated.

With one year of Sarbanes-Oxley experience under their belts, IT executives have learned valuable lessons in preparing for audits, such as establishing comparative metrics before the auditors arrive.

One tip sheet for "increasing your auditability" is available in The Visible Ops Handbook, distributed by the Information Technology Process Institute.

To date, 17,000 copies of the $19.95 handbook have been sold, according to Kevin Behr, president and founder of the Information Technology Process Institute, a not-for-profit group focused on researching, benchmarking and developing best practices for IT executives. Here is a portion of one of its popular cheat sheets, excerpted from the handbook.

Ask the auditors what they are looking for before an audit. Ask them for their audit objectives and for any pre-audit checklists they use.

Make sure to list your perceived risks. Sort them in descending order with the highest risks at the top, along with the controls you created to mitigate them.

Document your preventative controls, and have detective controls in place to show they work. Document the change management process. For each authorized change, document the configuration changes from the detective controls to show that the changes made were within the scope of the work order. File the data collected about change requests and make it readily accessible. In some organizations, all of the above information lives in a physical three-ring binder.

Use Change Advisory Board meeting minutes to show that meetings are being attended and used to manage change.

Keep a current and accurate asset inventory of hardware and software.

Document all internal audit procedures. For example, if your policies state that firewall logs are monitored by a system with exceptions reviewed, then you must have proof of following that policy through logs of one form or another.

Document all outages and unscheduled downtime in the systems along with corrective actions taken.

Keep current documentation of all exceptions to policies.

List any security incidents along with corrective actions taken.

Be able to produce previous audit findings, analysis of the findings and progress made against findings that warranted corrective action.

"More control doesn't equal more bureaucracy equals more work," Behr said. "It turns out, those with control can do more with less and do it more quickly and with better quality."
